This is the mail archive of the java@gcc.gnu.org mailing list for the Java project.
Hi Tom,

I had a closer look at libgcj's code since the release of GCC 4.0.

The first big flaws that are found are:

- SecurityManager.checkPermission() does not call AccessController.checkPermission() (it is commented out)
- AccessController.getContext() generates a dummy context with empty ProtectionDomains instead of walking through the call stack.
- AccessController.doPrivileged() set of methods look like stubs.

There is an open bug in bugzilla: nr 13604 about the context not being generated.

This means there are no security checks done at all. Even though all the rest (java.security.Policy, java.security.Security...) seems to be implemented OK.

Is the signature/certificate of jars taken into account when loading a jar?

Minor fixes should bring libgcj close to the Java 2 security model. This is encouraging.

--
Stéphane Konstantaropoulos - Research Student, Computer Science -- University of York, http://www-users.cs.york.ac.uk/~stephane
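A small model of the stack inspection the message refers to, added here as an illustration; it is not part of the original message and is not libgcj or JDK code, and every class, record and method name in it is hypothetical. It shows how a context built by walking the call stack differs from a context with no ProtectionDomains, and what a doPrivileged() frame changes.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added model of Java 2 stack inspection (Java 16+ for records).
// All names here are hypothetical; this is not libgcj or JDK code.
public class StackInspectionModel {
    // One call-stack frame: the permissions its protection domain grants,
    // and whether this frame invoked doPrivileged().
    record Frame(String codeSource, Set<String> granted, boolean privileged) {}

    // What getContext() is meant to do: walk from the newest frame outward,
    // collecting each frame's domain and stopping at a doPrivileged() caller.
    static List<Frame> contextFromStack(List<Frame> newestFirst) {
        List<Frame> ctx = new ArrayList<>();
        for (Frame f : newestFirst) {
            ctx.add(f);
            if (f.privileged()) break; // older callers are not consulted
        }
        return ctx;
    }

    // The behaviour described in the message: a context with no domains.
    static List<Frame> dummyContext(List<Frame> newestFirst) {
        return List.of();
    }

    // checkPermission(): every domain in the context must grant the permission.
    // With an empty context the loop body never runs and the check passes.
    static boolean permitted(List<Frame> ctx, String perm) {
        for (Frame f : ctx) {
            if (!f.granted().contains(perm)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String perm = "read:/constructed/secret.txt"; // constructed sample permission
        Frame lib = new Frame("core library", Set.of(perm), false);
        Frame libPriv = new Frame("core library", Set.of(perm), true);
        Frame app = new Frame("unsigned.jar", Set.of(), false);

        List<Frame> plain = List.of(lib, app);       // library called by unsigned code
        List<Frame> viaPriv = List.of(libPriv, app); // same call, inside doPrivileged()
        System.out.println("stack walk:          " + permitted(contextFromStack(plain), perm));
        System.out.println("stack walk + doPriv: " + permitted(contextFromStack(viaPriv), perm));
        System.out.println("dummy context:       " + permitted(dummyContext(plain), perm));
    }
}
```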